LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
Reload this Page add reload and restart options to the firewall script
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices

Reply
 
LinkBack Search this Thread
Old 09-26-2006, 07:14 PM   #1
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,385

Rep: Reputation: 37
add reload and restart options to the firewall script

hi

on my debian sarge stable I have the following firewall script:
Code:
#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.0.0.0/8"
IPTABLES="/sbin/iptables"

$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X


case "$1" in
   start)
     echo -n "Starting firewall.." 

# Flush then restrict
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP 
$IPTABLES -P OUTPUT ACCEPT



# SYN-flood atack protection
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Disable ping
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j DROP



# Public Networks
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services
$IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i eth0 -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow IMAP
$IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Allow SSL encryption
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Allow access from LAN
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.2

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

#$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP



echo "..done"
     ;;
   stop)
     echo -n "Stopping firewall.."
     $IPTABLES -F
     $IPTABLES -P FORWARD DROP
     $IPTABLES -P OUTPUT ACCEPT
     $IPTABLES -P INPUT ACCEPT
     echo "done"
     ;;
   *)
     echo "Usage: $NAME {start|stop}"
     exit 1
     ;;
esac
howto add reload and restart options to this script ?
 
Old 09-26-2006, 07:47 PM   #2
chadl
Member
 
Registered: Sep 2005
Location: US
Distribution: Gentoo AMD64 Testing
Posts: 129

Rep: Reputation: 15
Here is an example of how I have done something like that in the past:
Code:
#!/bin/bash
case "$1" in
        start)
                echo "Starting"
                ;;
        stop)
                echo "Stoping"
                ;;
        restart)
                echo "Restarting"
                $0 stop
                $0 start
                ;;
        reload)
                echo "Reloading"
                $0 start
                ;;
        *)
                echo "Unknown command" 1>&2
                ;;
esac
This will just run the script with the stop command, and then the start command when you tell it to restart, and it will run the start command when you tell it to reload (you may have to edit the actions to what you want).

$0 stands for the name of the command, so it is just a quick way of calling itself. In this script, if you put it in a file and make it executable, when you run it with:
Code:
 ./test.sh restart
Then it will print out Restarting, then Stoping, then Starting. "reload" will just print out Reloading and then starting.
Last edited by chadl; 09-26-2006 at 07:55 PM.
 
Old 09-27-2006, 05:11 AM   #3
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,385

Original Poster
Rep: Reputation: 37
thanks a lot !

I changed and hope it's OK now:
Code:
#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.0.0.0/8"
IPTABLES="/sbin/iptables"

$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X


case "$1" in
   start)
     echo -n "Starting firewall.."    


# Flush then restrict
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP 
$IPTABLES -P OUTPUT ACCEPT



# SYN-flood atack protection
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Disable ping
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j DROP



# Public Networks
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services
$IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i eth0 -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow IMAP
$IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Allow SSL encryption
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Allow access from LAN
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.2

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

#$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP



echo "..done"
                ;;

        stop)  

                echo -n "Stopping firewall.."
                $IPTABLES -F
                $IPTABLES -P FORWARD DROP
                $IPTABLES -P OUTPUT ACCEPT
                $IPTABLES -P INPUT ACCEPT
                echo "done"                        
                   
                ;;
        restart)
                echo -n "Restarting firewall.."
                $IPTABLES -F
                $IPTABLES -P FORWARD DROP
                $IPTABLES -P OUTPUT ACCEPT
                $IPTABLES -P INPUT ACCEPT                             
                $0 stop
                $0 start
                ;;
        reload)
                echo "Reloading"
                $0 start
                ;;
        *)
                echo "Unknown command" 1>&2
                ;;
esac
 
  


Reply

Tags
iptables, shell script


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Tomcat reload servlet is very slow, but reload jsp is fast and good? gsbarry Programming 2 04-28-2006 10:34 PM
How to reload /etc/my.cnf without restart mysqld? Chowroc Linux - Software 4 01-16-2006 12:52 PM
how to restart dns resolve or add route? exper Solaris / OpenSolaris 4 06-17-2005 08:59 PM
Add harddisk withour restart mates007 Linux - Hardware 5 03-22-2004 12:07 PM
Automating firewall reload on i/f (ppp) restart aelms Linux - Security 0 10-25-2003 03:14 PM


All times are GMT -5. The time now is 02:41 PM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
 
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration